[Rules]


;
;      Name: Name
;    Values: (text)
;   Summary: (optional)
;		Descriptive name of the rule file.
; Behaviour:
;		The descriptive name of the rule file is used for logging purposes to identify the rule file
;		that rejected a certain request. This is useful when two or more rules are
;		logging to the same filename. Defaults to the name of the rule filename on disk.
;
;Name=Default


;
;      Name: VerbAllow
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to filter the http request method.
; Behaviour:
;		If 0, section [VerbDeny] is used to list the http Verbs that are not accepted.
;		If 1, section [VerbAllow] is used to list the http Verbs that are accepted.
;
VerbAllow=1


;
;      Name: ValidHttpVersion
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to specify the allowed http versions submitted in http requests.
; Behaviour:
;		If 0, no validation occurs.
;		If 1, section [ValidHttpVersion] is used to list the accepted http version values.
;
ValidHttpVersion=1


;
;      Name: ValidHostPort
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to specify the allowed host:port pairs in the "Host" header and uri schema.
; Behaviour:
;		If 0, no validation occurs.
;		If 1, the hostname and port number sent in the uri schema and "Host" header
;		value must match the list of Hostname and Port number listed in section [ValidHostPort].
;
ValidHostPort=1


;
;      Name: ExtensionAllow
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to filter the extensions (if any) of the files requested.
; Behaviour:
;		If 0, section [ExtensionDeny] is used to list the extensions that are not accepted.
;		If 1, section [ExtensionAllow] is used to list the allowed extensions sent in a http request.
;
ExtensionAllow=1


;
;      Name: DenyHeaderName
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to specify the headers a http request should not contain.
; Behaviour:
;		If 0, no validation occurs.
;		If 1, section [DenyHeaderName] is used to list the header names that are not accepted in a http request.
;
DenyHeaderName=1


;
;      Name: ValidMaxLenByHeader
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to define thresholds for the number of bytes on specific header values.
; Behaviour:
;		If 0, no validation occurs.
;		If 1, section [ValidMaxLenByHeader] is used limit the accepted maximum sizes (in bytes) 
;		of the request header values of the respective request header names.
;
ValidMaxLenByHeader=1


;
;      Name: DenyUrlSequence, DenyQuerySequence
;    Values: 0, 1 (default)
;   Summary: (optional)
;		Use this key to list the unallowed byte sequences on the url or query string. Sequences can be specified using
;		normal characters like abc or mixed with hexadecimal formats, like ab\x0Ac.
; Behaviour:
;		If 0, no validation occurs.
;		If 1, section [DenyUrlSequence] or [DenyQuerySequence] is used to list the byte sequences not accepted.
;
DenyUrlSequence=1
DenyQuerySequence=1


;
;      Name: AllowDotInUrl
;    Values: 0 (default), 1
;   Summary: (optional)
;		Use this key define if dots '.' are allowed in urls 
;		(the extension dot - if existent - is not part of the filtering).
;		Note: Files are allowed to have a dot before the extension, i.e, /path/my.file.htm is allowed.
; Behaviour:
;		If AllowDotInUrl=0, urls containing a dot '.' before the extension are rejected.
;		If AllowDotInUrl=1, no validation occurs.
;
AllowDotInUrl=0


;
;      Name: AllowHighBitInUrl, AllowHighBitInQuery, AllowHighBitInPayload
;    Values: 0 (default), 1
;   Summary: (optional)
;		High bits are generally used in shellcode and buffer overflow attempts. These keys filter http requests 
;		where the url, query string or payload contains high bit characters (> 0x7F).
; Behaviour:
;		If 0, requests where the url, query string or payload contain high bit characters (> 0x7F) are rejected.
;		If 1, no validation occurs.
;
AllowHighBitInUrl=0
AllowHighBitInQuery=0
AllowHighBitInPayload=1


;
;      Name: CanonUrlBeforeScan, FailOnReCanonUrlChange, CanonQueryBeforeScan, FailOnReCanonQueryChange
;    Values: 0, 1 (default)
;   Summary: (optional)
;		While encoding is needed to transmit non-ascii or special characters, there may be double encoding attempts
;		to bypass the webserver. Canon*BeforeScan decodes the stream once before scanning. FailOnReCanon*Change validates
;		if a second decode step changes the contents of the stream. If the stream changes, the request is rejected.
;		Note: FailOnReCanon*Change has no effect if Canon*BeforeScan is not active.
; Behaviour:
;		If 0, no action occurs.
;		If 1, the respective decode/test actions are peformed.
;
CanonUrlBeforeScan=1
FailOnReCanonUrlChange=1
CanonQueryBeforeScan=1
FailOnReCanonQueryChange=1


;
;      Name: UrlMaxLen, QueryMaxLen, HeaderNameMaxLen, HeaderValueMaxLen, PayloadMaxLen
;    Values: numeric (>= 0)
;   Summary: (optional)
;		Buffer overflows can be prevented by limiting the sizes of the various http components. These keys
;		limit the allowed length of the url, query string, header names and values and payload.
; Behaviour:
;		If specified, limits the length of the respective http component(s).
;
UrlMaxLen=255
QueryMaxLen=1024
HeaderNameMaxLen=50
;HeaderValueMaxLen=255
;PayloadMaxLen=20971520				;20Mb


;
;      Name: ContentLengthMaxValue
;    Values: numeric (>= 0)
;   Summary: (optional)
;		Limits the numeric value specified in the content-length header value.
; Behaviour:
;		If specified, and if the http request contains the request header "Content-Length", 
;		then its numeric value is limited to the specified value.
;
;ContentLengthMaxValue=20971520		;20Mb
ContentLengthMaxValue=255


;
;      Name: RemoveBanner, ChangeBanner
;    Values: 0 (default), 1, text
;   Summary: (optional)
;		Customizes the "Server" response header.
; Behaviour:
;		RemoveBanner determines if the "Server" header is supressed (0) or not (1). If 
;		RemoveBanner=0, then ChangeBanner can be used to specify a new "Server" header 
;		value (if text is specified) or to maintain the default (if no text is specified).
;
RemoveBanner=0
ChangeBanner=Don't Touch My Stuff


;
;      Name: RejectPage
;    Values: path (text)
;   Summary: (optional)
;		Assigns the path of the html page to send back when a request is rejected.
;		Note: Environment variables are allowed.
; Behaviour:
;		If no path is specified, then requests will only be filtered and not rejected. 
;
RejectPage=%WINDIR%\help\iisHelp\common\404b.htm


;
;      Name: LogFilesDir
;    Values: path (text)
;   Summary: (optional)
;		Defines the directory where to store the log files.
; Behaviour:
;		If not specfied, the logfiles directory defaults to the current directory.
;
;LogFilesDir=c:\IisShield\Logs


;
; See "VerbAllow" key
;
[VerbAllow]
GET
POST
HEAD

[VerbDeny]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH


;
; See "ValidHttpVersion" key
;
[ValidHttpVersion]
HTTP/0.9
HTTP/1.0
HTTP/1.1


;
; See "ExtensionAllow" key
;
[ExtensionAllow]
.css
.aspx
.asp
.htm
.html
.txt
.jpg
.jpeg
.gif

[ExtensionDeny]
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat
.inc


;
; See "ValidHostPort" key
;
[ValidHostPort]
void
172.16.0.10
localhost
127.0.0.1
void:80
172.16.0.10:80
localhost:80
127.0.0.1:80
void:90
172.16.0.10:90
localhost:90
127.0.0.1:90
void:91
172.16.0.10:91
localhost:91
127.0.0.1:91


;
; See "DenyHeaderName" key
;
[DenyHeaderName]
Translate
If
Lock-Token
Transfer-Encoding


;
; See "ValidMaxLenByHeader" key
;
[ValidMaxLenByHeader]
Content-Length=10
Referer=250


;
; See "DenyUrlSequence" key
;
[DenyUrlSequence]
..
./
\
:
%
&


;
; See "DenyQuerySequence" key
;
[DenyQuerySequence]
..
./
\
:
\x3B
